All customer data is hosted on server infrastructure provided by Amazon Web Services and on computers located at Third Sector Design work premises.

All server infrastructure is protected by appropriately configured firewalls. Administrator access to servers is via encrypted SSH access.

Any portable devices, such as laptops, that contain customer data are protected by full disk encryption and strong passwords.

All of our servers and devices are regularly updated with security patches and other necessary updates.

All client data is backed up in two secure physically separate data centres. We keep snapshot and point-in-time backups, allowing us to restore data to a previous state if necessary.

The point-in-time backup schedule is as follows:

• every day for 14 days
• every week for 8 weeks
• every month for 24 months
• every year for 6 years

All personal data received from clients, such as exports from legacy systems, is stored securely on the above specified services and devices.

In the event of a personal data breach, our response will be informed by, and in line with, the guidance on Personal data breaches published on the ICO website (https://ico.org.uk).

Michael McAndrew, Director of Third Sector Design, is responsible for implementing and reviewing this security policy.

This policy was last reviewed on 1st November 2024. The next review is due on 1st November 2025.